[opensuse] rsyslog equivalent of syslog-ng match() ?
I'm slowly beginning to move/migrate to rsyslogd - I can't quite find a useful equivalent to match() from syslog-ng. It looks like I need to use property based filters, as regexes are not available in the expression filters?
--
Per Jessen, Zürich (12.8°C)
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Tuesday 12 October 2010 17:33:44 Per Jessen wrote:
I'm slowly beginning to move/migrate to rsyslogd - I can't quite find a useful equivalent to match() from syslog-ng. It looks like I need to use property based filters, as regexes are not available in the expression filters?
:msg, regex, "my.*regular..?expression"
No?
http://www.rsyslog.com/doc/rsyslog_conf_filter.html
Anders
Anders Johansson wrote:
On Tuesday 12 October 2010 17:33:44 Per Jessen wrote:
I'm slowly beginning to move/migrate to rsyslogd - I can't quite find a useful equivalent to match() from syslog-ng. It looks like I need to use property based filters, as regexes are not available in the expression filters?
:msg, regex, "my.*regular..?expression"
No?
No, that is a property filter, not an expression ditto and it has a different syntax. I also can't see how property filters are combined?
Anyway, how would you write the following syslog-ng filter for rsyslogd:
filter per2 { facility(mail) and match("relay=virtual.*status=sent"); };
I've come up with this so far, which will probably be fine, but it's not exactly the same:
if ($syslogfacility-text=='mail') and \
($msg contains 'relay=virtual') and ($msg contains 'status=sent')
I can't help wondering why there is no support for:
if ($msg regex '....')
--
Per Jessen, Zürich (12.6°C)
Per Jessen wrote:
Anyway, how would you write the following syslog-ng filter for rsyslogd:
filter per2 { facility(mail) and match("relay=virtual.*status=sent"); };
I've come up with this so far, which will probably be fine, but it's not exactly the same:
if ($syslogfacility-text=='mail') and \
($msg contains 'relay=virtual') and ($msg contains 'status=sent')
Just in case anyone is wondering - the above works. I had a little trouble getting the right timestamp format, but I got that sorted out too.
I would still be interested to know how one can combine property filters?
Also, I guess the hyphen before a log filename is to allow buffering (isn't that how the old syslog did it?), but it's not mentioned in the man page.
--
Per Jessen, Zürich (8.9°C)
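The "not exactly the same" point from the thread, shown as an added example that is not part of any poster's message: a Python emulation of the syslog-ng filter and of the two-`contains` rsyslog expression, run over constructed Postfix-style records to list where they disagree. It assumes match() is applied to the message text only; the function names and sample lines are made up for illustration.

```python
import re

# Constructed sample records (facility, message); not taken from the thread.
SAMPLES = [
    ("mail", "ABC123: to=<a@example.org>, relay=virtual, delay=0.1, "
             "status=sent (delivered to maildir)"),
    ("mail", "ABC124: to=<b@example.org>, relay=virtual, delay=2, "
             "status=deferred (temporary failure)"),
    ("mail", "ABC125: to=<c@example.org>, relay=smtp.example.net[192.0.2.1]:25, "
             "status=sent (250 ok)"),
    # status=sent appears BEFORE relay=virtual: the regex requires the
    # opposite order, the two substring tests do not care about order.
    ("mail", "ABC126: status=sent earlier, requeued via relay=virtual"),
    # Right content, wrong facility: both filters must reject it.
    ("daemon", "relay=virtual, status=sent"),
]

ORDERED_RE = re.compile(r"relay=virtual.*status=sent")


def syslog_ng_filter(facility, msg):
    """Emulates: facility(mail) and match("relay=virtual.*status=sent")."""
    return facility == "mail" and ORDERED_RE.search(msg) is not None


def rsyslog_contains_filter(facility, msg):
    """Emulates: facility is mail and both 'contains' tests succeed."""
    return (facility == "mail"
            and "relay=virtual" in msg
            and "status=sent" in msg)


def divergent(records):
    """Return the records on which the two filters give different answers."""
    return [(f, m) for f, m in records
            if syslog_ng_filter(f, m) != rsyslog_contains_filter(f, m)]


if __name__ == "__main__":
    for facility, msg in SAMPLES:
        print(syslog_ng_filter(facility, msg),
              rsyslog_contains_filter(facility, msg), msg[:40])
    print("divergent:", divergent(SAMPLES))
```

The only disagreement is a message where `status=sent` precedes `relay=virtual`, which the `contains` pair accepts and the ordered regex rejects.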